SOLVED

Ensure Service User with Write Permissions Issue


Hey guys,

I'm trying to ensure a service user on AEM as a Cloud Service with the following permissions on the "aces" property in a config JSON file:

"type=allow;privileges=jcr:all;path=/content",
"type=allow;privileges=jcr:all;path=/conf",
"type=allow;privileges=jcr:all;path=/libs/msm/wcm/rolloutconfigs"

This works fine on my local, with the correct permissions being set in usradmin. Unfortunately, when I try and deploy this code, I receive the following error:

com.adobe.acs.commons.users.impl.EnsureAuthorizableException: Failed to ensure [ ADD ] of Service User [ writeStoreDataServiceUser ]
	at com.adobe.acs.commons.users.impl.EnsureServiceUser.ensure(EnsureServiceUser.java:137) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
	at com.adobe.acs.commons.users.impl.EnsureServiceUser.activate(EnsureServiceUser.java:268) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.felix.scr.impl.inject.methods.BaseMethod.invokeMethod(BaseMethod.java:244) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$500(BaseMethod.java:41) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.inject.methods.BaseMethod$Resolved.invoke(BaseMethod.java:685) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.inject.methods.BaseMethod.invoke(BaseMethod.java:529) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:318) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:308) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.createImplementationObject(SingleComponentManager.java:354) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.createComponent(SingleComponentManager.java:115) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:1000) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.getServiceInternal(SingleComponentManager.java:973) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:918) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.framework.ServiceRegistrationImpl.getFactoryUnchecked(ServiceRegistrationImpl.java:349)
	at org.apache.felix.framework.ServiceRegistrationImpl.getService(ServiceRegistrationImpl.java:249)
	at org.apache.felix.framework.ServiceRegistry.getService(ServiceRegistry.java:362)
	at org.apache.felix.framework.Felix.getService(Felix.java:3984)
	at org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:450)
	at org.apache.felix.scr.impl.manager.SingleRefPair.getServiceObject(SingleRefPair.java:88) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.inject.methods.BindMethod.getServiceObject(BindMethod.java:675) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.DependencyManager.getServiceObject(DependencyManager.java:2556) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.DependencyManager.doInvokeBindMethod(DependencyManager.java:2075) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.DependencyManager.invokeBindMethod(DependencyManager.java:2058) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.invokeBindMethod(SingleComponentManager.java:443) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.DependencyManager$MultipleDynamicCustomizer.addedService(DependencyManager.java:333) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.DependencyManager$MultipleDynamicCustomizer.addedService(DependencyManager.java:301) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.customizerAdded(ServiceTracker.java:1200) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.customizerAdded(ServiceTracker.java:1121) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.ServiceTracker$AbstractTracked.trackAdding(ServiceTracker.java:928) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.ServiceTracker$AbstractTracked.track(ServiceTracker.java:864) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.serviceChanged(ServiceTracker.java:1152) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.BundleComponentActivator$ListenerInfo.serviceChanged(BundleComponentActivator.java:114) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.framework.EventDispatcher.invokeServiceListenerCallback(EventDispatcher.java:990)
	at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:838)
	at org.apache.felix.framework.EventDispatcher.fireServiceEvent(EventDispatcher.java:545)
	at org.apache.felix.framework.Felix.fireServiceEvent(Felix.java:4863)
	at org.apache.felix.framework.Felix.registerService(Felix.java:3834)
	at org.apache.felix.framework.BundleContextImpl.registerService(BundleContextImpl.java:328)
	at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:929) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:915) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.RegistrationManager.changeRegistration(RegistrationManager.java:133) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.AbstractComponentManager.registerService(AbstractComponentManager.java:984) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:752) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.AbstractComponentManager.enableInternal(AbstractComponentManager.java:674) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.AbstractComponentManager.enable(AbstractComponentManager.java:437) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.enableComponents(ConfigurableComponentHolder.java:667) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.BundleComponentActivator.initialEnable(BundleComponentActivator.java:305) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.Activator.loadComponents(Activator.java:554) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.Activator.access$200(Activator.java:70) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.Activator$ScrExtension.start(Activator.java:421) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.AbstractExtender.createExtension(AbstractExtender.java:196) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.AbstractExtender.modifiedBundle(AbstractExtender.java:169) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.AbstractExtender.modifiedBundle(AbstractExtender.java:49) [org.apache.felix.scr:2.1.30]
	at org.osgi.util.tracker.BundleTracker$Tracked.customizerModified(BundleTracker.java:488)
	at org.osgi.util.tracker.BundleTracker$Tracked.customizerModified(BundleTracker.java:420)
	at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:232)
	at org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450)
	at org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915)
	at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834)
	at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516)
	at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4847)
	at org.apache.felix.framework.Felix.startBundle(Felix.java:2363)
	at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1566)
	at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: javax.jcr.nodetype.ConstraintViolationException: org.apache.jackrabbit.oak.spi.state.ReadyOnlyBuilderException: This builder is read-only.
	at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:286) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator.setPolicy(AccessControlManagerDelegator.java:122) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.jcr.delegate.JackrabbitAccessControlManagerDelegator.setPolicy(JackrabbitAccessControlManagerDelegator.java:181) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
	at com.adobe.acs.commons.users.impl.EnsureAce.ensureAces(EnsureAce.java:180) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
	at com.adobe.acs.commons.users.impl.EnsureServiceUser.ensureExistance(EnsureServiceUser.java:159) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
	at com.adobe.acs.commons.users.impl.EnsureServiceUser.ensure(EnsureServiceUser.java:117) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
	... 68 common frames omitted
Caused by: org.apache.jackrabbit.oak.spi.state.ReadyOnlyBuilderException: This builder is read-only.
	at org.apache.jackrabbit.oak.spi.state.ReadOnlyBuilder.unsupported(ReadOnlyBuilder.java:44) [org.apache.jackrabbit.oak-store-spi:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.spi.state.ReadOnlyBuilder.setChildNode(ReadOnlyBuilder.java:200) [org.apache.jackrabbit.oak-store-spi:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.core.SecureNodeBuilder.setChildNode(SecureNodeBuilder.java:314) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.plugins.tree.impl.AbstractMutableTree.addChild(AbstractMutableTree.java:75) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.core.MutableTree.addChild(MutableTree.java:199) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.plugins.tree.TreeUtil.addChild(TreeUtil.java:289) [org.apache.jackrabbit.oak-security-spi:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.createAclTree(AccessControlManagerImpl.java:443) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setNodeBasedAcl(AccessControlManagerImpl.java:293) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setPolicy(AccessControlManagerImpl.java:213) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.security.authorization.composite.CompositeAccessControlManager.setPolicy(CompositeAccessControlManager.java:116) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator$8.performVoid(AccessControlManagerDelegator.java:125) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:280) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
	... 73 common frames omitted

with writeStoreDataServiceUser being the name of my service user.

Oddly enough, when I change the permissions to be read only (see below) it ensures fine.

"type=allow;privileges=jcr:read;path=/content"

I'm wondering if there might be a setting in the cloud manager somewhere that prevents the ensuring of service users with write permissions? Or is there something wrong with the structure of my "aces" property? I investigated the "builder is read-only" error since that seems to be the root of the problem, but was unable to dig anything up in the documentation.

1 Accepted Solution


Correct answer by
Community Advisor

Hi @user00928, according to the ACS Commons documentation, you should not use the Ensure Authorizable tool on AEM 6.3 and above (this includes AEM as a Cloud Service). So this could be the reason for your issue.

Instead of that, use Sling Repo scripts. Here is good Adobe documentation with code examples of how to deal with a Service User on AEM as a Cloud Service - https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/developing/advanced/s...
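
The repoinit route recommended in the accepted answer, as an added example that is not part of the original thread or of Adobe's documentation: Sling repoinit statements covering the /content and /conf entries from the question, to be placed in the `scripts` property of an `org.apache.sling.jcr.repoinit.RepositoryInitializer` factory OSGi configuration. The intermediate path `system/cq:services/myproject` is an assumed placeholder.

```repoinit
# Added example, not code from the thread.
# Assumption: "system/cq:services/myproject" is a placeholder intermediate path;
# replace "myproject" with your own project folder name.
create service user writeStoreDataServiceUser with path system/cq:services/myproject

# ACL entries corresponding to the first two "aces" lines in the question.
# jcr:all mirrors the question as written; a service user that only stores
# data usually needs far less (for example jcr:read plus rep:write), so
# narrow the privileges to what the service actually does.
set ACL for writeStoreDataServiceUser
    allow jcr:all on /content
    allow jcr:all on /conf
end

# The /libs/msm/wcm/rolloutconfigs entry from the question is left out here:
# /libs belongs to the immutable part of the repository on AEM as a
# Cloud Service at runtime.
```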
